How often does your company run pen testing in relation to cybersecurity?

Annually: 27%

Every 6 months: 42%

Quarterly: 19%

Monthly: 5%

Have never: 7%


227 PARTICIPANTS

1.9k views, 4 Comments

CISO in Software, 201 - 500 employees
Smart companies have a multi-level pen testing strategy which they dynamically align with the business. Doing one end2end semi-automated fuzz test may work just fine for a stable application with little volume of architectural/technology changes, providing that it is being scanned for vulnerabilities regularly and minor releases are accompanied by automated pen tests (say via Burp Suite) which are an integral part of regression testing. The same strategy could fail horribly in the early stages of development, when there are major architectural changes introduced shortly after the test, etc. Having a managed bug bounty program should be considered too, and the outcomes of this program should be used to refine the pen test plan too.
3
Associate Vice President, Information Technology & CISO in Education, 1,001 - 5,000 employees
We are moving toward continuous monitoring 365x7x24 on crown jewels.
2 2 Replies
CEO, MSSP - High Assurance Cybersecurity SOC in Services (non-Government), 1,001 - 5,000 employees

John, I'd be interested in knowing if your conmon plan replaces pentesting or?

1
Associate Vice President, Information Technology & CISO in Education, 1,001 - 5,000 employees

The service we use is via Synack, and it's 24x7x365 pentesting / red teaming. We give them scope (e.g. IPs to test) and they have at it all year, and report back with exploitable vulnerabilities, with detailed reproduction steps and ways to fix. Once we fix, we submit for verification and they check again until it truly is fixed.

When there's a specific system / service we want to test, we use Synack for focused missions against that system / service.

It has been a really great solution, as traditional pentesting may throw 1, 2, maybe 3 testers at your solution if you're lucky. With the crowdsourced model you can have hundreds, with wide-ranging skillsets, testing your system. The results speak for themselves, and I won't ever go back to the previous model.

3
